Analysis Overview
SHA256
359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903
Threat Level: Known bad
The file 359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Modifies WinLogon for persistence
Sets service image path in registry
Drops file in Drivers directory
UPX packed file
Modifies system executable filetype association
Enumerates connected drives
Modifies WinLogon
Installs/modifies Browser Helper Object
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-29 20:18
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-29 20:18
Reported
2024-04-29 20:21
Platform
win7-20240221-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
| SHA512 | 5dde78366641171d3e9af7527420fdc60a8b60fdd1639c20aa8618f44c1a63c18e1701e05c5b1187a8ef50d0f831757d12f87b8b3e03ac16ba3d83c08ac1c23d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f216b2413d7b03ec7753442fc6e3bf04 |
| SHA1 | 0636b5dc185970b988d4e13e0c8beecd46c275c2 |
| SHA256 | 5d2d17801d8809cf9b2c7feee358b3a0f60fce5b7f2825385da5c991a687a594 |
| SHA512 | 64ba1627cf53e14665dfadc69bff888123b4864d9fd508eae8ba8971bf5a8d08eef0bfa309600ed3081e554b283cd58e676bfc41e1b8b123c448f1ee74a6fcc7 |
memory/2580-227-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 101c94d8f4099e1d71415753752905a7 |
| SHA1 | c3a131a2ab6832ee1004785e1142b668f62851b2 |
| SHA256 | 1d6f69da31632d6effeb0dfbad67056d7ef6866baa464ec96ec8ed5f5f075087 |
| SHA512 | d84158df88f745512f3b8b0add3e33489b346b89b7fa0fac97def90491f4bc65ca2798c65f190a1cac37f6e73d57d46feb5399b48f2ec8f83f69f2ea5eb56c52 |
memory/1736-233-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2476-235-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1736-241-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2352-247-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1800-253-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1860-259-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2180-266-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2416-265-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2372-273-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2180-272-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2080-280-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2372-279-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2080-286-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1448-294-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2808-293-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-29 20:18
Reported
2024-04-29 20:21
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
The same ImagePath value was written 28 times during the run; the identical rows are collapsed into the single entry above.
Modifies system executable filetype association
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
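The two Run values above are the durable part of this sample's persistence: `autoload` points at `cftmon.exe` (one letter swapped from the legitimate `ctfmon.exe`) under the legacy `Local Settings\Application Data` junction, and `ntuser` points at `spools.exe` (one letter short of `spoolsv.exe`) inside the drivers directory, which holds `.sys` files and is not a normal home for an executable. The script below is an added example, not part of the sandbox output; it runs the same three checks (unusual target directory, lookalike filename, writer process running from Temp) over a handful of constructed Sysmon Event ID 13 style records. Two of the records mirror rows from this report, the others are benign entries constructed for contrast; the field names `TargetObject`, `Details` and `Image` follow Sysmon's RegistryEvent schema.

```python
"""Flag Run-key persistence of the kind shown in this report.

Added example; not code from the sandbox or the sample. Input records are
assumed to be Sysmon Event ID 13 (RegistryEvent: SetValue) fields.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches HKLM/HKU Run and RunOnce keys, including the WOW6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories a legitimate Run-key target almost never lives in.
SUSPICIOUS_DIRS = (
    "\\system32\\drivers\\",               # drivers dir holds .sys files, not .exe
    "\\syswow64\\drivers\\",
    "\\local settings\\application data\\",  # legacy junction, odd for modern installers
    "\\appdata\\local\\temp\\",
)

# Names that droppers commonly imitate with a one- or two-letter change.
SYSTEM_BINARIES = ("ctfmon.exe", "spoolsv.exe", "explorer.exe",
                   "svchost.exe", "lsass.exe", "csrss.exe")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough inputs that O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str) -> Optional[str]:
    """Return the system binary `filename` imitates, or None if exact or unrelated."""
    name = filename.lower()
    for legit in SYSTEM_BINARIES:
        if name != legit and levenshtein(name, legit) <= 2:
            return legit
    return None


def target_path(details: str) -> str:
    """Extract the executable path from Run value data (quoted or bare, maybe with args)."""
    d = details.strip().replace("\\\\", "\\")
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.search(r"\.exe\b", d, re.IGNORECASE)
    return d[: m.end()] if m else d


@dataclass
class Finding:
    value_name: str
    target: str
    image: str
    reasons: List[str] = field(default_factory=list)


def analyze(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per Run-key write that trips at least one heuristic."""
    findings: List[Finding] = []
    for ev in events:
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue  # Winlogon, BHO and other keys are out of scope here
        target = target_path(ev["Details"])
        low = target.lower()
        reasons = []
        for d in SUSPICIOUS_DIRS:
            if d in low:
                reasons.append(f"target lives under {d}")
                break
        exe = low.rsplit("\\", 1)[-1]
        legit = lookalike(exe)
        if legit:
            reasons.append(f"filename {exe} imitates {legit}")
        if "\\appdata\\local\\temp\\" in ev["Image"].lower():
            reasons.append("value written by a process running from a Temp directory")
        if reasons:
            findings.append(Finding(m.group("value"), target, ev["Image"], reasons))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"
SID = "S-1-5-21-711569230-3659488422-571408806-1000"

# Constructed records: the first two mirror rows from this report, the rest are benign.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload",
     "Details": r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe", "Image": DROPPER},
    {"TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser",
     "Details": r"C:\Windows\system32\drivers\spools.exe", "Image": DROPPER},
    {"TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost",
     "Details": "logonui.exe", "Image": DROPPER},  # not a Run key; ignored by this check
    {"TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.value_name} -> {f.target}")
        for r in f.reasons:
            print("    ", r)
```

Each of the two malicious rows trips all three heuristics, while the constructed OneDrive entry trips none; the Winlogon write is deliberately left to a separate rule, since `UIHost`, `Shell` and `UserInit` need their own allow-list of expected values rather than path heuristics.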
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/3620-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5f08fb3fa475072df4906a25454e0a24 |
| SHA1 | 8e3343f3b0f9c2816e5dad958b71b3bfc10166ec |
| SHA256 | efcfe1059d017ac036213bc7e940e63f6649e859b6bb9b7b75aacef5bdefbf33 |
| SHA512 | 2ea90de8628b73b26df4305bed8c921b288cb4efc420f9ccf99637aa94d535e797f544a0d0d7cdd87712fafe63033b81d43e180461e9a5ee3952b5fef4ff1fc6 |
memory/2028-6-0x0000000000400000-0x0000000000430000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3620-9-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3e22a7d0660295f4ea1273c649c08a6c |
| SHA1 | 1de710bb50d2a71b19c943a28f37c15cf9c79cea |
| SHA256 | 418b4f1d49e19673f01a8560387bc8b6753cb2d3131f7eaf2391308f91e58b24 |
| SHA512 | 99905c88b0811f77f7637c6c885c196e777346c8d0c41ae586980473f9ca1578f7c16a02ea1479c2ea3ca5d8a24002771de5e44b31ccc232263976f921dba76a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ffae328274ff8bc8aee91c5e08ff353e |
| SHA1 | 45f6d72c83c66394eae77ceb2a17a89d7106b12d |
| SHA256 | 7a268469076f3fb5b20186b1a37a9ffdbdaeae0079a1ae12ca0933f7254ad7a4 |
| SHA512 | ec0ec76f98119176bdd4fb8b92505bc77e92ca706484132f17e70d3719d1df8894bc1b07e9d41e159376c1b4c07033ad85a6cd1b60b1d8e5c8e36ddfb7d3e05d |
memory/844-20-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2028-22-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ef36a80517bd4ebd30d4585c8435044b |
| SHA1 | c0c1639665b799884937c9c43378bca2347c772f |
| SHA256 | abb289c3c8f254308104257020401d10a1a1ca31c73b540bf717876ae6f99a76 |
| SHA512 | aec69736db4fd56295f7423a0622364d8542c89f6e1ee182e8d0f68a8c277467a257cd7a8b03786ba30a7726ec5fda25a2925d7b975fe98886df0d1b2312bbe1 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | dafed2c3a57a31345dd6f48a1a77a066 |
| SHA1 | 9262fb78d321dac60b899c00e1df4fdbf4790812 |
| SHA256 | 1f7be90da5e5a930f03e8e3861d3b99617f7169cc6aae859906c5ca91e02f26e |
| SHA512 | f1fa67cf7435519d3b35de3f40ffde408f678134872e23b7d615ef607179176b17f9d06132c30044d541f9c22b8d51bb5a5b6ec7fa1e603cd84bd6cd14710fe9 |
memory/3928-33-0x0000000000400000-0x0000000000430000-memory.dmp
memory/844-35-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3432c8ba2c4d5fbac0b9a64882157730 |
| SHA1 | 2c4862eb24f8e24bfe4bfe6b9d1c17c8bfbdda29 |
| SHA256 | 3f6549ea892bb36c25e7713768648ab41d244cbf9043af76433df06972bbcc9c |
| SHA512 | a9dba72fae227d3c116052a44079ee7fc6ad8a62dee1df810a4b28442aa0b33b66b1cdea635bca6b2ce353b5d38e9c5298d039e1087c86b85a4ba587abfc643f |
memory/2484-44-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2273856d0ab2b853bbbfeeeb173f4c0b |
| SHA1 | 3e65166cd0d4357992dc6d913bee2bc3141461a4 |
| SHA256 | 9247bea92c582d8d5590c850d491066d8d5f014f691612521b9b2d2aca61e3c9 |
| SHA512 | e6173aa1c4c9638dca0e4634efa2fd38b3d2f4e4a3d1121f107bc224d8f12c25f1080ade862223f0b394dda66bcb65647a8224036d4e2e96e791963122683704 |
memory/3928-48-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6d4ba692fb98eeb823ed9013420d9087 |
| SHA1 | f62a909e8128e2149d1516b9c9270cf7d5e97a7f |
| SHA256 | 1c39d2015180b057927ea9b0b0ef14a468c16c1fb24e01c8995cc5c40488702d |
| SHA512 | 9f3e77cc2b318504075dd25e1e1ca335e3c15ba09863c15452bd26dd682135fafc76d999bc361f2caaed70bdaf3a613c8cf228c0e6e54346c9505bd70a5960df |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 73c5eeea15d3a8b0fd9c32bf42edba39 |
| SHA1 | f14a81be1777bb261bec18383cc611e6c2652761 |
| SHA256 | 268e84ef5cfa47082a6951da55040531e64597118f3be46337d5540c0482f64b |
| SHA512 | c318eb3495fd90d04448e3a79025d9e38b37c90e975d400b3005afbce2447f94dcb37e384550048bbc61a22c0c881bb41dfcb5b2b438c9b63e49e4d9a30489e4 |
memory/3164-59-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2484-61-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 181d006bfd3e44e808602f822d56457b |
| SHA1 | 961d1bd8492aea831da22a2ce984c0c457ca5bd2 |
| SHA256 | a2353f50b18bb875070da0b1a86cac49cb26202c73b52a687baaefd65d81545b |
| SHA512 | e054fe7f87093f4b1653ed4c8b2d7f2c3414a9a8c73350df0b0e5740300ee1bc0eae33ea5e2c078c2dfa2874dbd8a1d0b1ad41993560aa9f33ca641668fd1ede |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b24158eb699e364b2cd50d882645d35e |
| SHA1 | 9b8b61208d1ba8233427ef939194359508a88c30 |
| SHA256 | 93950754e73cf932711c7306c061ac1edbdce5b8a5ca52e64423c71106657edf |
| SHA512 | 484f4e3329ad098575c3fcf722d60dce94e78c5ab7ae80cc0abe82457fb92b5254a4708b01dd3c7fd117fd5d8a5057ad04f3afa4f4be52a331e9bc3c5033bf5d |
memory/4688-72-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3164-74-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ff017bb946e16d5a26edc2260c81eba1 |
| SHA1 | 13afcaf785f4fc99ede3fa40424a67af67ac8f15 |
| SHA256 | fbf1ee2d30a9b55500fcae33f802bb384b48fd382282990053e9c491ab3ed270 |
| SHA512 | fc7ad22d38e824022e9df7ce2ada62ccb80d1fb9894a24f0749326cd8751057a0f824dfb14d56e1c1c8bf2756f8df3aac8601aa0666d2ac4c19ea0d7d487bee1 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 01e54ed4db626d119d7e3b92c0d808cf |
| SHA1 | 14b2372dc082c222dba172b22d0b4df4a5456cdf |
| SHA256 | eefd844cc936313aeb6481b2b17a33f8e21798e65ece261657c2d00db2f9b03b |
| SHA512 | 6fc6ebe2a02724ee323de3065d1750d218c69a3ac96a41974b012e56a3fe37353ae838ebdbf3b5286988cdc32cf61bbd4eb6a8ac77489c6a3608f27f6c085f71 |
memory/4688-86-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | deb1a9525387d823a1037b3ae2c1f087 |
| SHA1 | f0b385a925ac8fb8d259113d1625eab443c347e9 |
| SHA256 | cae6bcc1386f3733b2df256671e8fb26001c815d44c0c3075494330aadabe96f |
| SHA512 | e017bfb8a40177c235c22cfeee35f8336aef4f6cadcc575950377d16dd2d2163237bf2d6f92b2236d74c66beaf4e37650c75bca2e92869ce8240ed6bdab61a07 |
memory/4764-95-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9f96e1af787d1ae8cb148c3d1cd640cc |
| SHA1 | 6e0d67c38a59c3a222bcdb1e5ca797378ebac4a4 |
| SHA256 | ff78513bf273810360418887c3d0c902f2fec18be00ba7db19ea41e230a090a6 |
| SHA512 | 19aec4b959edea7c2ff1a2b108e2cb80fabc92dcf790b679c1040ecd0867d500ccab44d1bbaa3a91d1e5b6d72541bc8828cfaf6205aa9c43c61f74cb02c13575 |
memory/1828-99-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 23446aeba2d9acdb8b5e1e95a20542ae |
| SHA1 | ed53a967310408623bf13077633b52e60db7da0b |
| SHA256 | d348a55ffc4b979460ab3d15ce57e77e644364e8a96503c1e105429ac3d84c44 |
| SHA512 | 6688bb9179d137a6015d4e54e1b10c4867d482e02ece49c2c88fb5b076b19d344e2b4098108a82b2718668589e23cf0dd57668999e3c5e806e5f434951a58856 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 98e3d413b05141bb36582bc8f89fd22f |
| SHA1 | 030b25e648a586e1687083521500f16f0b9600d2 |
| SHA256 | 07556d0055e6116a9a6dc1b5006db6625acccc951cece08e467050898f24d3dd |
| SHA512 | d00a2b1cba624aa28acf169ca4e7c1e9a73c471a6cda7c048d9cefe201d8544427a65c0abfc8678de708c32f38dc0f4433c5ef21dec2467905397ce53925331c |
memory/4380-110-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4764-113-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f7d8ee4793ed97c312a6ab09376f49fd |
| SHA1 | 11b98dd2598f60652b1b1a0333b3a97ff3740d03 |
| SHA256 | 2206e9ef1065bc90ea73aaaedd4d1972fc0de2edc70399b96bb13fd36ccfd259 |
| SHA512 | 4176f28504c9d84338d713ef2c7af03cc67636112623597bd3b3f25c0d84a2725bb6ba408ac4e22f3cbf93238cf82ff840075d116ba86142f7c91291f5b8a5b9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c922fb1dbd6968017bf5c14d29cf5ed6 |
| SHA1 | 4e6a800584d10223f123872382f65b3fe98e65f6 |
| SHA256 | 63748669fe17d8b74dba6386c221331ff22d7c3ecc64374ce2c42eeb769bed07 |
| SHA512 | 261a99e17a90def59a421a91aba11f809f49cf5f6a191d9a5745908826afce20b6f5ad0f7c50ec33e279b8fbdaae8dc30e3c5e94482196eeea82a68b7f593c4d |
memory/4380-125-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 14066509b8b066ba64cebbabdd14293d |
| SHA1 | 2e3598ba4a515117f73abc5d06816dd0cf5aa92f |
| SHA256 | 15c672d37e5e4a6018cccfce57ca9a40416d05507fc62ca73cd6cfc357ed4c5b |
| SHA512 | 1072a01c7440c4eabeaccf4d73491034829f64589ee94a2a7703a252fa6661a3a5eba68dd7cac427dab17079259a4346c4d9cf4bad515329cc6d443470e894cd |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 568c2923288796d51a74bac92f971ca6 |
| SHA1 | f33ae0714f49048dd2fab7ec974d4d3a56b6a7bc |
| SHA256 | d74ed6f2500fcfe6774efe07287acdedf2d6b444e4f0063301ec2fd7453acd94 |
| SHA512 | dd08b4f48cc2769835edf5c67e34bcb6fc47ac32d5c2486ea0cb46a12a363a004946d22c77a1fd26cf742368566c5bd21525746d9482cd6a44028099ed0ae1bb |
memory/4920-136-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1368-138-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5b9a5265520787a005d752db86690b52 |
| SHA1 | 54c98a7bbd2175d63c17ed9a790a7fd860bce3ef |
| SHA256 | da2c1fb960eaac3d944aacd80ac31a0b703f048b5f6d70117b963fe07c5ecd44 |
| SHA512 | 30d41440491d87de49e0d932d9f34a0270159f1f5805f3a4d292d16626eadb681b0bedb811111f241778edb87c6d1acd840277bc5e2512ec49edfb084bc4ddbd |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 343648a21362106bdff594251219722d |
| SHA1 | 9e7f7ee7a4888a0995d5b62d95c193c061858eac |
| SHA256 | 2ce970eb054bf3aa5f0a19d65d42d0f51cae9ad5290634b15ac0e8a70397cb35 |
| SHA512 | 78be06063370e5a247f96d61376558506b6eeebd55e7099966491781bb235174f1074b56b991cb828ef65ba39043e88f25a9160f48fd92675bf6cca2ae20e042 |
memory/4920-150-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 91a442b6023308fa9b2562782c152068 |
| SHA1 | 6cd0f1bb67ff3f1e8442fba692918809b23f3ead |
| SHA256 | 1810652eb84fd60afe807577a040f8610cae5098a034ba8428dfa4eda0e983d8 |
| SHA512 | e8ebe256beeaa51045aab46e08635dc83b1b333273e52ba45f7c754118087e02c6a0bbea8f88da8742ddbbe3f688ed4b0969f278768aac0bbec7806942c2286e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | aaafa19a7902802f4647b95d4cb5393e |
| SHA1 | 4e35bc6a5b61f2ec6f4ab4e89ff6df6f7790603b |
| SHA256 | ae43c720fb76a95cd41f551b871c88461f2bb3c221019b00d89cfd857cd370dd |
| SHA512 | 9c944117cd7eba5bf2dd4f2fb14a595fb25ca4aafcd3d40d35733f04ca2457a095aa936cbca0c7e51929b2f243c31387747beba1531231f732281c2da04b54d1 |
memory/4300-161-0x0000000000400000-0x0000000000430000-memory.dmp
memory/780-163-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c80030406ac5f5ec1dc32e6c138b33b8 |
| SHA1 | 2efa7ed8080872e7110009ff09b7b6d6c0b4bfb3 |
| SHA256 | a6dabf75062f103eebce7a8c3b69636780ec458362c57923bcae69adf9cc68ef |
| SHA512 | 0a5eabfe2d8938340995807d4b4e91b8a1532dbbb90bafa4912c4e60a8441eaf6b4a8fbde381f5f98eae5e99635b663589e18c379821eb68cad57a1862a093b1 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ca9ff0e14aa8990b7ebd747641a2acbd |
| SHA1 | 588ae17d2070ac8b5db2399d14954ac39d187664 |
| SHA256 | 04b5babd6c93e50179ab25606f7f1b4e7867b7ff91216ce2d1437a02b7127070 |
| SHA512 | cd33db1c07fcd06967e098a4755f37c0630d979b02205520bd25c73e45d617a01d229a366c9c66000c4cfabbdda1afbeb0166872cc6f23a86acb97fccfae0cc5 |
memory/4400-174-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4300-176-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | cf286ef6bbd7f363effe3010354166d6 |
| SHA1 | 55117166ba7760be0a29e1588cf495a6c5b14661 |
| SHA256 | 74b9aea22e79a6afbaf5cce765948b811f7843628906837d1a57e07334b75dc1 |
| SHA512 | 7c06514c067b06ff98510a289ea7af306aac864418b5f9a5b4adcac53e08cad309be22929795f52ae67f9964150aefb838fbb04a3647e8172af96ef6926cce65 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2964fc6594d03a116deab4527abcfbaf |
| SHA1 | 7a3f278376de9d43239aefee1d5f2166a006d945 |
| SHA256 | f4e3559357d35a3b8201e84b9dabffa1c0601cfdaf198167dcc5a83baf92f27c |
| SHA512 | 05a9eade27aa17cc3ca06ec2d56bcbd2e5f514afb8a872c8f79576268033a681f8a205f8b01864d4e2e708a58f43b1dfe1b4d77cadd79ced176a34b52fa3b422 |
memory/1452-187-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4400-189-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 35e3a6b845ef86476386f34ae96e7311 |
| SHA1 | af4fe6c3ecd8b4278c98274424a4bcdfd6080ce2 |
| SHA256 | 8d2b2905200810635c8d12bbb8d15a84162c6da217c778c78414412b98e96012 |
| SHA512 | a559e31192c011aaa19c6f9adb12ed716fe5bb06c80d59f629ee0ed19d4c580b0ddc5d31284fafea1e34526d2bf59abfa8140600ae53ec735277bcbf60103793 |
memory/2624-200-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 62b2777b4a75dbb815ff8bc89f9ff17d |
| SHA1 | 7f9b2e878583191ded15b098f245bbf06f4ca9c9 |
| SHA256 | 87eeb728fa10199e2bd740fbd682e24632e562d88e0d1512303fe7634cf53a3d |
| SHA512 | a4cb102a7280af6b888376a8d30dfe4317ac3e6eb6c1d2ced1bbc4f85b88253acaced7d4298e29fea60db078155fa3336ac6d68f46a8a4aa0543c2389afc7790 |
memory/1452-202-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 18a001235a93f7314a5a4286bf951450 |
| SHA1 | 9240cc0ec7eb515023dacfb1909b91ce9fc9a899 |
| SHA256 | 1704e68e6ff5cd8c59dd9819e0965d0071874356d76c15381592a2975f1935b6 |
| SHA512 | 35dda51fbf4a2fe50b6f4f968450b675d463583b263f59273eec787348103db5867afc65d1e171f87bb8241de85017e3b126608338d11eaed88f902a0fd71968 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 99453724a6f8bb51442aca58be1d7b6b |
| SHA1 | 370e12ff03f4080cbfb3614e01e176a7aa2c5709 |
| SHA256 | d8164197b672a95e9e306f82c727ef1fb7dc9995f28471af0edda3b4379bb565 |
| SHA512 | b42358d3fcf0b199aa16cdd70129f6db0094d16e21da47227a0157a9bcbccde14948b8bada1a237471f2915a3946a1510cfb858ca6866f8d69bcbaca3f1595c4 |
memory/2624-214-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 880cbfdfa637f46d615b8cbacbcf18ed |
| SHA1 | cabbdbcfe15475aff649bd6dd91d25bffee40e8d |
| SHA256 | ccc8800510bbd193695c0441cbf6a8d12cb0c020ba6fa21e6beac0761d0e1ba9 |
| SHA512 | e61845c2ada59a0eb6629af295aa74f6515f9ec83fdd119f81bbb57dc3b9947cf21717bc3e27bb90e75e92b2bc1d32c8b68fd3da07f3bec87d272241ddc77afb |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 16396abad749067964c55c6e0e5249b3 |
| SHA1 | 76e12ffd39e00f3e34513e10143ef85bb2a85022 |
| SHA256 | 38e7f8fb55a0ac1cfb7379e009f888aafe10db911fd489f02e645d9f81f0880d |
| SHA512 | 1244e44c41a8b424ce305caa68e2836cbaf526a38accead2437174e711a8237368b2ffab3215a10f8d4c4d1aefaf3a778cb768357f65b63b610ae34761b6b904 |
memory/4556-225-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4816-227-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 279a89a9d6e47da016beae62d5ac166d |
| SHA1 | 2a2bf28af16a939bfb45234ba6774b4db445b9d6 |
| SHA256 | 9d18b43464f6e5cf2db243d36bbed66f61da895233ef307c0e0529ef47abc1dc |
| SHA512 | 87e7f40b1a2da1c51ab2f845a1a873afec57d1e4d866bc5fdbe074cd0448da9b72b06d1541b2ba7b707a9e7055001f026ee33cc392d92c5f44d524deb86e1736 |
memory/5004-236-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | cb5f9fa74b512ff0126c074311ed04ca |
| SHA1 | 713b0fbc0e471097536c797471ff2dde8a3a3666 |
| SHA256 | 37f54dcbbd9f969b5114a5f213fc17d653f330d146196f25809aaa9390cbcc3f |
| SHA512 | 9915d56c430ad5cc454ffce5692ae20dfcc0300f8e4bf6994e30a52ccb36cd85a518bd4536c1b6998bef78b5e2868c2cdf51401f38036b4cbcff9c22d4ef4843 |
memory/4556-240-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b8a19e09e78cd2d3f6fd970a35eec693 |
| SHA1 | 4c8d7ce7797491440f6f6cf6aee27515bb47b4cb |
| SHA256 | b0b0a0e5f021cf3cbafafe43471d204db1962f5b598c73eff5e577f527ba3b7f |
| SHA512 | 9dd47ed817d4643049d94af0904a281e2171a7029284e395cc0d8a8efc82c30ef94a5324e3e1ae1dbf52797479bdfe6ef14876961a4dad8482880e2324552bc9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1da6680f17d09523e837d411aef33f65 |
| SHA1 | 5ad31d910de7c236581f266b3ab0dfed89908c4e |
| SHA256 | f772d261e2ec8d9f12672e88466ad216a89217f1e052c58b9849ed0b7973da5c |
| SHA512 | e015e6e1797b3db68d63fe30513e54f06a76e6a871cbf23b6f13cced4f06cf9e28648f85bce6f001be2539730d658031ece0e739c5f15ae44e63ec96e5dc38cb |
memory/4688-251-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5004-253-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 92c84e7eee2217edd91398ca4b8009a8 |
| SHA1 | 778cd17dafd00a0ba142aab357e0c4d4f9e49747 |
| SHA256 | 69963ea923287af84c4e200e23a8a696c7cb0c95bb2d82c3d3d52ebdbc25734e |
| SHA512 | 1045855acfeaa575caa8bf2ecff9f00bda7bd234c1743bb4d0b735c07cd8cd6605713e5fa46a91a9373d66b8c356da5c19492d898ed10f463767824c31dd32a7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7813172b040518df1e9f471186f4351d |
| SHA1 | 6f4ee99f3721586358cbcab8341863371b652b46 |
| SHA256 | 32b9f744b0c2dba772987de8c2496a713ec1706fb732bf670de55d2b5dbf827f |
| SHA512 | 71782939535f6311ce26a7ad453dbe6409e24c5e62a92989a84d128dda556b3eaffa300bdfd585108af001566251656a29073a953ce1d28a391488784d55c461 |
memory/4688-265-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5da5538502cbf59250ad784803db2346 |
| SHA1 | 157c62acd640bb6179e4427cd27ba54b0910f1bf |
| SHA256 | 4bb46dcc26b885dcb7e1939b33f9f148ee16d060d742b2cb524b67e107b545ec |
| SHA512 | a2c3b3f453d5684d0bf1ac7ede5adc066109e55e15d8af9ab0eec973394fb90f11fb27170a2b2caae75c908a9cfd77362d7bcab0ed1411486605b752956a7185 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7c947effb62b830990cb5a2613b9d09b |
| SHA1 | 0aecb753990f914646c651c9f452e0b4ccd24919 |
| SHA256 | ac282170e26a86498e59ee33fd105bfe6074fd0d0251399704aad2faf4e95fbc |
| SHA512 | 040f2071cf95cb1a6b5124a9c164ab5c8be63c7b10c2cf6c58a5d491c88cdf9098a1df60292602dcf2536156308a6a272b14efbbfc9494ab1bdc240a8def5c67 |
memory/64-276-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4612-277-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2528-286-0x0000000000400000-0x0000000000430000-memory.dmp
memory/64-287-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4388-296-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2528-297-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1320-306-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4388-307-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1320-316-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4664-325-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3764-326-0x0000000000400000-0x0000000000430000-memory.dmp
memory/960-335-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4664-336-0x0000000000400000-0x0000000000430000-memory.dmp
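Two things in the Files list are worth pulling out. First, every drop of `spools.exe` and `cftmon.exe` carries a different hash, so the per-file hashes here identify this detonation only; the paths and value names are the indicators that survive across runs. Second, the hashes of `\??\c:\stop` are those of the single ASCII byte `1`, so the file is a marker rather than a payload. The script below is an added example, not part of the sandbox report: it parses an excerpt copied from the Files list above in the report's own `| ALGO | hex |` layout, groups hashes by path, and tries a short constructed list of candidate marker contents against the recorded digests.

```python
"""Triage the Files section of a sandbox report.

Added example; not code from the sandbox or the sample. FILES_EXCERPT is copied
from the report's Files list; MARKER_CANDIDATES are constructed guesses.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

FILES_EXCERPT = r"""
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5f08fb3fa475072df4906a25454e0a24 |
| SHA1 | 8e3343f3b0f9c2816e5dad958b71b3bfc10166ec |
| SHA256 | efcfe1059d017ac036213bc7e940e63f6649e859b6bb9b7b75aacef5bdefbf33 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3e22a7d0660295f4ea1273c649c08a6c |
| SHA256 | 418b4f1d49e19673f01a8560387bc8b6753cb2d3131f7eaf2391308f91e58b24 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ffae328274ff8bc8aee91c5e08ff353e |
| SHA256 | 7a268469076f3fb5b20186b1a37a9ffdbdaeae0079a1ae12ca0933f7254ad7a4 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ef36a80517bd4ebd30d4585c8435044b |
| SHA256 | abb289c3c8f254308104257020401d10a1a1ca31c73b540bf717876ae6f99a76 |
memory/3620-0-0x0000000000400000-0x0000000000430000-memory.dmp
"""

# Constructed guesses for what a tiny flag file might contain.
MARKER_CANDIDATES = [b"1", b"0", b"1\r\n", b"1\n", b"stop", b""]


@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)  # algo (upper) -> hex digest


def parse_files_section(text: str) -> List[FileEntry]:
    """Turn the report's path / hash-row layout into FileEntry objects.

    A line beginning with '|' is a hash row belonging to the most recent path;
    any other non-empty line starts a new entry (memory dumps have no hash rows).
    """
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2 and entries:
                entries[-1].hashes[cells[0].upper()] = cells[1].lower()
            continue
        entries.append(FileEntry(line))
    return entries


def identify_content(hashes: Dict[str, str], candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the candidate whose digests match every recorded hash, or None."""
    if not hashes:
        return None
    for data in candidates:
        if all(hashlib.new(algo.lower(), data).hexdigest() == hx
               for algo, hx in hashes.items()):
            return data
    return None


def distinct_hashes_by_path(entries: List[FileEntry]) -> Dict[str, Set[str]]:
    """Map each dropped path to the set of distinct SHA256 values seen for it."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        if "SHA256" in e.hashes:
            out.setdefault(e.path, set()).add(e.hashes["SHA256"])
    return out


if __name__ == "__main__":
    entries = parse_files_section(FILES_EXCERPT)
    for path, digests in distinct_hashes_by_path(entries).items():
        print(f"{len(digests)} distinct SHA256 for {path}")
    for e in entries:
        content = identify_content(e.hashes, MARKER_CANDIDATES)
        if content is not None:
            print(f"{e.path} content recovered from hashes: {content!r}")
```

On the excerpt this reports two distinct SHA256 values for each of `spools.exe` and `cftmon.exe` and recovers `b'1'` for `\??\c:\stop`; the same parser run over the full list above gives one hash per drop, which is the practical reason to hunt on the Run values and paths rather than on the file hashes.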